OWASP OVAL Content Project

Main

This project’s goal is to create standardized assessment documents (in OVAL XML format) for various application platforms such as .NET, Java, PHP etc. For example, several settings in the Web.config file impact the security of an ASP.NET web application. Likewise, PHP.INI has several security-related settings. Creating OVAL definitions for these checks will enable any OVAL-compatible tool (including the free OVAL Interpreter) to perform them.

Open Vulnerability and Assessment Language (OVAL®) is an international, information security, community standard to promote open and publicly available security content, and to standardize the transfer of this information across the entire spectrum of security tools and services.

This project will strive to create OVAL content (which is simply a set of XML files) for common security misconfigurations. For example, refer to http://www.codeproject.com/KB/web-security/web-based-applications.aspx for a list of the top 10 Application Security Vulnerabilities in Web.config Files which may impact any ASP.NET web application. Each of these security settings can be tested easily by writing a corresponding OVAL check. In this particular case, xmlfilecontent_item can be used.
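A sketch of what such a check can look like, as an added example that is not content published by this project. In a definitions file the check is written as an xmlfilecontent_test with its object and state, and the interpreter collects the matching xmlfilecontent_item from the target system. The `org.example.webconfig` ID namespace, the file path, the timestamp and the choice of the `debug` attribute on `compilation` as the setting under test are all assumptions made for illustration.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<oval_definitions
    xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5"
    xmlns:oval="http://oval.mitre.org/XMLSchema/oval-common-5"
    xmlns:ind="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent">
  <generator>
    <oval:schema_version>5.10</oval:schema_version>
    <oval:timestamp>2024-01-01T00:00:00</oval:timestamp> <!-- constructed value -->
  </generator>
  <definitions>
    <definition id="oval:org.example.webconfig:def:1" version="1" class="compliance">
      <metadata>
        <title>ASP.NET debug compilation is disabled</title>
        <description>Web.config must not set debug="true" on system.web/compilation.</description>
      </metadata>
      <criteria>
        <criterion test_ref="oval:org.example.webconfig:tst:1"
                   comment="compilation/@debug is absent or false"/>
      </criteria>
    </definition>
  </definitions>
  <tests>
    <!-- any_exist: a Web.config that omits the attribute (ASP.NET default is
         debug off) is not flagged. Caveat: a missing file is not flagged
         either, so pair this with a file-existence test if that matters. -->
    <ind:xmlfilecontent_test id="oval:org.example.webconfig:tst:1" version="1"
        check="all" check_existence="any_exist"
        comment="every collected debug attribute equals false">
      <ind:object object_ref="oval:org.example.webconfig:obj:1"/>
      <ind:state state_ref="oval:org.example.webconfig:ste:1"/>
    </ind:xmlfilecontent_test>
  </tests>
  <objects>
    <ind:xmlfilecontent_object id="oval:org.example.webconfig:obj:1" version="1">
      <!-- Assumed location of the application's Web.config -->
      <ind:filepath>C:\inetpub\wwwroot\Web.config</ind:filepath>
      <ind:xpath>/configuration/system.web/compilation/@debug</ind:xpath>
    </ind:xmlfilecontent_object>
  </objects>
  <states>
    <ind:xmlfilecontent_state id="oval:org.example.webconfig:ste:1" version="1">
      <ind:value_of operation="case insensitive equals">false</ind:value_of>
    </ind:xmlfilecontent_state>
  </states>
</oval_definitions>
```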

Free tools (OVAL Interpreters) are already available and can readily be used to evaluate content that conforms to the OVAL standard.

The OVAL community is quite active, and a vast amount of content is available in the OVAL repository maintained on the MITRE website.

By providing standard, OWASP-reviewed OVAL content to the general public, this project aims to make things easier for anyone involved in finding configuration-related vulnerabilities in any web application platform.